At  5PM +0200 on 24/05/13 you (Dirk Jahnke-Zumbusch) wrote:
> [I wrote:]
> >
> >I didn't quite mean that: yes, that is 'passwordless' in a sense, but
> >you still have to have typed a password into kinit fairly recently.
> >
> >What I meant was that with 2.2 it's finally possible to set a list of
> >krb5 principals for imap which is different from the list in .k5login.
> >This makes it possible to create special-purpose principals, which can
> >have their keys put in a keytab, which can then log on as an ordinary
> >imap user.
> 
> perhaps I misunderstand you, but something like
> 
> kinit -k -t /path/to/keytab
> 
> authenticates w/o the need of typing a password.

Yes, but that means putting your ordinary user's key into a keytab, and
since that key can (probably) be used for a whole lot more than just
accessing IMAP, this isn't exactly very safe. The advantage of using a
dedicated principal is that you can give it the minimum rights it needs
to do its job, making the keytab much safer. You can also disable just
that principal on the KDC if it gets compromised without locking the
user out altogether.

Ben

Reply via email to